Auth permission should honour the token scope

2025-03-01 10:36:34 +00:00 · 2015-03-29 21:59:48 +01:00
parent 216b5fba7a
commit c8d6dc2531
5 changed files with 56 additions and 28 deletions
--- a/red/api/auth/index.js
+++ b/red/api/auth/index.js
@@ -49,7 +49,7 @@ function needsPermission(permission) {
                if (!req.user) {
                    return next();
                }
-                if (permissions.hasPermission(req.user,permission)) {
+                if (permissions.hasPermission(req.authInfo.scope,permission)) {
                    return next();
                }
                return res.send(401);
@@ -101,7 +101,7 @@ module.exports = {
    errorHandler: function(err,req,res,next) {
        //TODO: standardize json response
        //TODO: audit log statment
-        //console.log(err.stack);
+        console.log(err.stack);
        //log.log({level:"audit",type:"auth",msg:err.toString()});
        return server.errorHandler()(err,req,res,next);
    },
--- a/red/api/auth/permissions.js
+++ b/red/api/auth/permissions.js
@@ -19,17 +19,36 @@ var util = require('util');
 var readRE = /^((.+)\.)?read$/
 var writeRE = /^((.+)\.)?write$/

-function hasPermission(user,permission) {
-    if (!user.permissions) {
-        return false;
-    }
-    if (user.permissions == "*") {
+function hasPermission(userScope,permission) {
+    var i;
+    if (util.isArray(userScope)) {
+        if (userScope.length === 0) {
+            return false;
+        }
+        for (i=0;i<userScope.length;i++) {
+            if (!hasPermission(userScope[i],permission)) {
+                return false;
+            }
+        }
        return true;
    }
-    if (user.permissions == "read") {
-        return readRE.test(permission);
+    
+    if (userScope == "*") {
+        return true;
    }
-    else {
+    
+    if (util.isArray(permission)) {
+        for (var i=0;i<permission.length;i++) {
+            if (!hasPermission(userScope,permission[i])) {
+                return false;
+            }
+        }
+        return true;
+    }
+    
+    if (userScope == "read") {
+        return readRE.test(permission);
+    } else {
        return false; // anything not allowed is disallowed
    }
 }
--- a/red/api/auth/strategies.js
+++ b/red/api/auth/strategies.js
@@ -24,6 +24,7 @@ var util = require("util");
 var Tokens = require("./tokens");
 var Users = require("./users");
 var Clients = require("./clients");
+var permissions = require("./permissions");

 var bearerStrategy = function (accessToken, done) {
    // is this a valid token?
@@ -79,13 +80,17 @@ var passwordTokenExchange = function(client, username, password, scope, done) {

    Users.authenticate(username,password).then(function(user) {
        if (user) {
-            loginAttempts = loginAttempts.filter(function(logEntry) {
-                return logEntry.user !== username;
-            });
-            Tokens.create(username,client.id,scope).then(function(tokens) {
-                // TODO: audit log
-                done(null,tokens.accessToken);
-            });
+            if (permissions.hasPermission(user,scope)) {
+                loginAttempts = loginAttempts.filter(function(logEntry) {
+                    return logEntry.user !== username;
+                });
+                Tokens.create(username,client.id,scope).then(function(tokens) {
+                    // TODO: audit log
+                    done(null,tokens.accessToken);
+                });
+            } else {
+                done(null,false);
+            }
        } else {
            // TODO: audit log
            done(null,false);